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We use the entanglement sampling techniques developed by Dupuis, Fawzi and Wehner (T) to find a lower 
bound on the entanglement needed by a coalition of cheaters attacking the quantum position verification protocol 
using the four BB84 states (2l[3l (QPVbb 84) in the scenario where the cheaters have no access to a quantum 
channel but share a (possibly mixed) entangled state For a protocol using n qubits, a necessary condition for 
cheating is that the max- relative entropy of entanglement -Emax($) > n — 0(log n). This improves previously 
known best lower bound by a factor ~ 4, and it is essentially tight, since it is vulnerable to a teleportation based 
attack using n — 0(1) ebits of entanglement. 


PACS numbers: 03.67.Dd, 03.67.Mn, 89.70.Cf 

The very first (classical) position verification (PV) protocols 
have been distance bounding protocols, introduced in 1993 
10] to prevent man-in-the-middle attacks. Based on the speed- 
limit c on information propagation imposed by special rela¬ 
tivity, they can only work when the prover P and the verifier 
V are close, and are useless against nearby malicious adver¬ 
saries M, i.e. when distance(M,V) < distance(P, V) IS). 
PV protocols by a coalition of distant verifiers {Vi} are there¬ 
fore needed in such situation, as they allow to build localized 
authentication protocol, but also many other cryptographic ap¬ 
plications, like key distribution at a specific place 0. How¬ 
ever, Chandran et al. have shown in 2009 0 that no classical 
PV protocol can be computationally secure against a coalition 
{ Mi) of malicious pro vers. They only found a protocol secure 
in the bounded retrieval model. 

Quantum position verification (QPV) protocols appeared the 
next year in the scientific literature, with publications of three 
independent teams E a EHIol. Even in the quantum case, 
unconditional security is unattainable 0, and a universal at¬ 
tack using an exponential amount of entanglement as been 
found by Beigi and Konig in. To guarantee the security of a 
QPV protocol one either need a computational hypothesis 03 
or a bound on the quantum entanglement shared between the 
cheaters mMMM- 

The present work is in the latter framework, where the 
cheating coalition {Mi} only has access to a limited amount of 
entanglement. Despite the exponential universal attack im, 
all lower bounds found so far have been linear iniiii or sub- 
linear Eini. To our knowledge, the protocol showing the 
best security in this framework is the protocol using mutually 
unbiased bases QPV^ubs proposed by Beigi and Konig in IfTTI . 
A n-qubits implementation of QPVmubs is secure against ad¬ 
versary holding less that n/2 ebits. However, QPV^ubs needs 
the coherent manipulation of n qubits and is therefore impos¬ 
sible to implement with present day technologies. 

QPVbb 84 , introduced in E0 and defined below, is ex¬ 
perimentally much simpler since it essentially uses quantum 
key distribution components Gsiiia, and Tomamichel et al. 
M have proved its security against adversary holding less 
than — log2(cos^(7r/8)) • n ~ 0.22845 • n ebits of entangle¬ 
ment. We improve this bound to n — O(logn) ebits. Since 
a teleportation-based explicit attack using n — 0(1) ebits is 


known ll^fTSll. this bound is tight. 

We start this letter by giving some useful properties of the 
min-entropy iTmin and the max- relative entropy of entan¬ 
glement Timax, a related entanglement monotone. Since our 
security proof is based on an adaptation of the entanglement 
sampling based security proof HI of weak string erasure (WSE) 
in the noisy storage model (NSM), we then describe this pro¬ 
tocol. We then show its security the noisy entanglement model 
(NEM) and use it to show the security of QPVbb 84 - 

In the following 5(A) is the set of quantum states of the 
system A. 

Definition 1 (min-entropy). Let g G S(AB) be a bipartite 
state. The conditional min-entropy H^i^(A\B)g is 

Hniin{A\B)g := — inf inf {A S K : p < 2^1^ (g) r} 

The following property shows the conditional min-entropy 
of a classical-quantum (cq) state is essentially the logarithm 
of the probability to guess the classical part from the quantum 
part. 

Property 2. theorem 1] Let g G S{XB) be a cq-state, 
i.e. a state of the form g = I*) (^1 ® Tr Tx G 

S{B)\/x. Then, 

Pi^min{X\B'j g = \o^2Pguess{X\B') g^ 

where Pgue.tsiX\B)g) is the maximal probability of guessing 
the value of X from an optimal measurement on B. 

The max- relative entropy of entanglement has been intro¬ 
duced by Datta ifTSll as an entanglement monotone closely re¬ 
lated to iVniin- 

Definition 3 (max- relative entropy of entanglement). Let 
g G S{AB) be a bipartite state. Its max- relative entropy 
of entanglement is noted £'niax(p)A;B or Emax(A; B)g and is 

Ema.^{A; B)g := inf inf {A e K : p < 2'^tT} 
where D is the set of separable states ofS{AB). 
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Property 4 (monotony of E'max)- m theorem 1 ] The max- 
relative entropy of entanglement -Emax is an entanglement 
monotone, i.e. it can only decrease under local operations and 
classical communications (LOCC). More formally, let A be 
completely positive trace preserving (CPTP) map S{AB) —>■ 
S{A'B') which can be achieved through LOCCs. 

^n\ax{,Q')A\B ^ ^n\ax{,A{^Qf)A'',B' 

In order to establish the theorem|^linking E’max and i/min, 
we will need the following lemma ; 

Lemma 5. Let 'D{A:B) C S{A,B) be the set of separable 
states, i.e. the convex hull of the set of product states iS(A) 0 
S{B). For any state a € T>(A:B), there exists a state r € 
S{B) such that cr < I 0 r. 

Proof Let a G 2?(A; B), there exists a mixture {pi, T\^Tg}i 
of states of 5(A) 0 S{B) such that 


a = ^PiT\® t'b 

i 

since cr G V^A-.B) 

< ^ pAa ® Tb 

since Vi, < 1a 


defining t — '^piT^ 


i 


Theorem 6. For any bipartite state g G S(AB). 

Eraax{A]B)g > —ff„iin(A|i?)g 


1 . Ai choses uniformly at random AT" = {xi]i and 0” = 
two bit strings of length n. 

2. Bi choses uniformly at random 0" = {'di}i, a bit string 
of length n. 

3. Ai sends to Bi the quantum state H'^' \xi), where 
H is the Hadamard operator and {|0), |1)} the compu¬ 
tational basis of a qubit. It is the BB84 encoding of the 
string in the basis 0”. 

4. Bi measures the qubits in the bases 0", and gets the 
string X". 

5. Both parties wait the time At. The classical memo¬ 
ries of Alice and Bob corresponds to classical channels 
allowing Ai to send {X",0"} to A 2 and Bi to send 
{X",0"} to B 2 . 

6 . A 2 sends 0" to B 2 . 

7. B 2 computes I = {i : di = tJi} and 

We are interested here by the correctness of the protocol, 
but only by its security against a dishonest Bob. 

Definition 7. A WSE protocol is X-secure against Bob if the 
probability for B 2 to correctly guess the string X" is smaller 
than 2“”^. More formally, letC{/K 2 , B 2 ) be the set of all pos- 
□ sible states (Ta 2 ,B 2 which can be obtained at the end of the 
protocol if Alice follows it but Bob is dishonest. The protocol 
is secure for Alice if, Vtr G C(A 2 , B 2 ), 

ii 7 „,i„(A"|B 2 ). > A. 


Proof For any separable state a G T>{A : B), there exists a 
state T G S{B) such that 

Q < (from definition!^ 

< 2ETaaAXB)gj^ ^ .j. (lemmaj^ 

The definition of — iTmin as lower bound (definition!^ then 
implies H^i^{A\B)g 

^ £/max {A-B)g. □ 

Now that we have the relevant properties of Hmin and 
Emax, we Study the weak string erasure (WSE) protocol. It 
was introduced, together with the noisy storage model (NSM) 
by Konig et al. lfT9ll to build secure bipartite protocols. The 
NSM is based on a technological limit imposed on quantum 
memories : after a delay At, the quantum state they can hold 
decoheres and becomes noisy. In this model, a protocol is 
split in two phases. A bipartite protocol involving the tradi¬ 
tionally named Alice (A) and Bob (B) can therefore be seen 
as a quadripartite protocol between two coalitions : it first in¬ 
volves early-Alice (Ai) and early-Bob (Bi), and then, after 
At, later-Alice (A 2 ) and later-Bob (B 2 ). A noisy quantum 
memory held by Bob is then modeled by a noisy quantum 
channel F : Bi -G- B 2 . 

The WSE protocol proposed in m can be described as fol¬ 
lows, for honest Alice(s) and Bob(s): 


Instead of the A-security, which ensures exponential secu¬ 
rity with n as long as A > 0, one can also be interested in the 
e-security for a fixed n : 

Definition 8. A protocol is e-secure iff, for any possible dis¬ 
honest strategy, the probability Pcheat for a dishonest adver¬ 
sary to win is Pcheat < £■ 

Lemma 9. For a protocol like WSE or where the goal 

of the cheater is to guess a classical string A", X-security and 
e-security are equivalent notions when 

e = 2-’^^oA = -Alog2e 

Proof This follows directly from the definitions and property 

El □ 

In the NSM model, a dishonest Bob changes the above pro¬ 
tocol in the following way: 

!4l Bi performs a generalized measurement on the qubits, 
obtaining a joint cg'-system CQi. 

!5] During the At wait, Bi stores this state in his mem¬ 
ory. While the classical memory is perfect, the quan¬ 
tum memory is described by the noisy channel F, and 
B 2 obtains CQ 2 = (I 0 F)(C'(5i). 
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| 7 ] At the final step, the global quantum state is cr € 
iS(X” 0”C'(52), where A2 holds the classical informa¬ 
tion X” and B2 has access to the classical information 
©”( 7 , as well as to the quantum information Qi- B2 
tries to guess from <d'^CQ2 and the security of the 
protocol is measured by H^in{X^\Q^CQ2)a- 


operations specified by the protocol, as well as the ones al¬ 
lowed in the NEM, are LOCCs according to the A1A2B1 : B2 
split. We have therefore 

-i^max($) < --Einax(CT),4";C’Q2 (pfOpertyj^ 

< H^in{A'^\CQ2)a (theorem|6]l, 


Theorem 10. ffl] theorem 14 ]) Let Bob storage device F have 
a maximal fidelity, as defined in lEI/, upper bounded by rj. The 
WSE protocol defined above is X-secure for 

^<i[7(-l-^log27)-i], 

where 7 is the function defined by 

^min if ^min ^ 2 

9 (^min) if hmin 2; 


where a denotes the state shared by A2 and B2 just before 
their measurements. 

Applying the monotonously increasing function 7 leads us 
to 

7(-7^max(l>)) < 7(7^min(7l"|CQ2).) 
LemmapT|then gives 

< ^Hmin{X^\e^CQ2) + 


g{a) := h{a) + a—l; h{a) := —a log2 a — (1 — a) log2(l— 
a) is the binary entropy function. 

We defer the reader to 12 for the proof of this theorem. We 
will now reformulate it in a slightly different security model, 
the noisy entanglement model (NEM). 

In the NEM, Ai, A2, Bi and B2 are actually four differ¬ 
ent persons, localized at different places and connected with 
(unlimited) classical channels Ai —^ A2 and Bi B2. The 
protocol WSE is the same as described above, except that there 
is no specific Af at the step|^ Bi and B2 also share a (possibly 
mixed) entangled state ^Qi,Q 2 instead of a quantum channel 
F. The two models are obviously related, since one can cre¬ 
ate a state $ by transmitting it through F, and one can create 
a channel F through teleportation, using <!> and the unlimited 
classical channel. 

We now adapt theorem 


10 to NEM, exactly following 


Dupuis et al.’s proof m until their corollary 11 and slightly 
changing it after. As usual, we study the equivalent entan¬ 
gled protocol, where Ai prepares a maximally entangled state 
1$+)®^,, sends the A'” half to Bi and gives the A" half to 
A2. A2 finds the string X" by measuring A" in the basis 0 ". 


Lemma 11. /[T] corollary 11 ] With the notations above, and 
7 defined in theoremW^ we have 


which with some reordering and the definition | 7 ] of A con¬ 
cludes the proof. □ 

Corollary 13. Let £ > 0 . WSE is e-secure in the NEM if 

i^max(^) <n- s- nh[^) 

where s := 1 — 2 log2 £ and e is the basis of the natural loga¬ 
rithm. A slightly more stringent sufficient condition is : 

-Emax($) <n- S l0g2 « -f S log2 ^ 

Proof. According to theoremf^ the protocol is A-secure for 


7( i-E^max($)) n 


> A 


7( i^max(^)) > ^ + 2A 

= W “ W e (lemmaig 

_. ^ 

n 

applying p = 7“^ to both sides leads to 

— 7^'max(^) > 

^^max($) < -ng{i) =n- s- nh[^) 


Hmm{X^\Q'^CQ2). > i [ny{lHmUA^\CQ2)a) - 1] 


We can now show the security of WSE in NEM : 


Theorem 12. Let the dishonest Bobs share a (possibly mixed) 
entangled state $ € S{Bi, B2). In the NEM, the WSE protocol 
defined above is X-secure if 


X < 


1 

2 


7(-7^max($)) 


1 

n 


Proof. We will look at the entanglement between B2 and the 
other partners A1A2B1. The only entanglement which exists 
at the beginning of the protocol comes from Then all the 


which gives the first inequality of the theorem. 

A straightforward study of the binary entropy functions 
shows that < s log2 n — s log2 A Substituting this ex¬ 
pression in the above equation concludes the proof. □ 

We have now all the elements to prove the security of a QPV 
protocol. Eor the sake of simplicity, we limit ourselves to the 
unidimensional case. In this case a QPV protocol involves two 
verifiers {Vi, V2} and a prover P between them. The QPVBBg4 
protocol lO can be described as follows 

1. Vi and V2 privately chose the strings X" and 0". 

2 . Vi sends to P the quantum state \xi). 
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3 . V2 sends 0 " to P. 

4 . P receives the messages of {Vi,V2} simultaneously. 
He measures the qubits in the base 0 ” and obtains 
X" = X". He immediately broadcasts X" to 
{Vl,V2}. 

5 . {Vi, V2} accept P’s position iff X” = X" and if they 
receive this information on time 

The timing is such that P has to be at the right place to receive 
both the qubits and 0”, and then broadcast the measurement 
result to Vi and V2 on time. We refer the reader to Q for a 
precise definition of the timing and the correctness condition, 
as we are mainly concerned by the cheating strategies. 

We now study the security of this protocol against a coali¬ 
tion of two malicious cheaters {Mi, M2}, Mi (resp. M2) 
being closer to Vi (resp. V2) than P is supposed to be. 
The timing constraints allow them a single round of classical 
communications. In the NEM they have access to no quan¬ 
tum communications, except an initially shared bipartite state 
$ G S(Mi, M2). Note that an access to a quantum informa¬ 
tion channel of finite entanglement cost ll20l can be brought 
in this model trough the corresponding state $. The possible 
action of the cheaters are: 

1. Ml performs a generalized measurement on the qubits 
sent by Vi and his half Mi of the state T*. He gets a 
classical quantum system CiQi and sends Ci to M2 

2 . Depending on 0 ", M2 performs a generalized measure¬ 
ment on his half M2 of the state $. He obtains a C2Q2 
and sends (^2 to M1 

3 . Receiving Ci±i, M^ extracts his best guess X" from 
CiC2Qi and sends it to 

This looks like an attack on WSE in the NEM, where 
{Viji = {Aiji and {Miji = {Bjji, with the supplementary 
requirement that Mi = Bi has also to output X". In particu¬ 
lar, it means that any attack on QPVbb 84 leads to an attack on 
QPVbb 84 in NEM, leading us to our main result: 

Theorem 14. ^P'^bb 84 A s-secure if the state $ shared by Mi 
and M2 verifies 

Xi„ax($) <n - s- nh[^) 

where s := 1 — 2 log2 e and e is the basis of the natural loga¬ 
rithm. A slightly more stringent sufficient condition is : 

-Einax($) <n- S l0g2 U S log 2 ^ 

Proof Corollary [T^ ensures that WSE is e-secure in the NEM 
against adversaries using $ as resource. We will now prove 
by contradiction that QPVbb 84 is also e-secure. 

Let us suppose it is not the case: M1 and M2 have a cheating 
strategy winning in QPVbb 84 with probability > e. They 
can use this strategy as Bi and B2 in a WSE protocol, without 
the M2 —7- Ml communication and the final broadcasts of X", 


and using Xf as guess for X". Their probability to cheat WSE 
is -Pcheat = P{^2 = ^”) > > S' ^^E is uot E-secure, 

which is contradictory with corollary [O] 

Therefore, QPVbb 84 is e-secure. □ 

We have shown the security of the practical protocol 
QPVbb 84 in one dimension against a coalition of cheaters shar¬ 
ing an entangled state of max- relative entropy of entangle¬ 
ment E'„iax( 4 >) < n — O(logn). This bound is the best 
known to date for a QPV protocol and is essentially tight for 
QPVbb 847 since an attack using n—0(1) ebits is known ||^fT 3 l . 
While this method probably generalizes to the multidimen¬ 
sional case using tools from ca, as well as to other protocols, 
like QPVmubs ifTTIl and non-Pauli variants of QPVbb 84 
it will not approach the exponential upper bound of these pro¬ 
tocols. This method is also useless when Mi and M2 have 
access to an unlimited quantum channel (but did not use it for 
some reason to share entanglement before the protocol starts), 
while the bound of ifiTll works in this case. 
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